You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 2000/02/21 19:50:03 UTC

Re: mod_log-any/5747 (fwd)

The following reply was made to PR mod_log-any/5747; it has been noted by GNATS.

From: Marc Slemko <ma...@znep.com>
To: Apache bugs database <ap...@apache.org>
Cc:  
Subject: Re: mod_log-any/5747 (fwd)
Date: Mon, 21 Feb 2000 11:41:17 -0700 (MST)

 ---------- Forwarded message ----------
 Date: Sat, 12 Feb 2000 15:57:25 -0500 (EST)
 From: TTSG <tt...@ttsg.com>
 To: Marc Slemko <ma...@znep.com>
 Subject: Re: mod_log-any/5747
 
 > 
 > Sorry, I think you had better look again.  The client doesn't send it,
 > period.  If it did sent it in some cases, then that would be a major
 > security hole and should be fixed in the client.  As it is, allowing this
 > to be specified in the URL is a security hole and should never have been
 > implemented by browsers.  The way it is implemented is a hack that only
 > partially works and has numerous problems.
 > 
 	From a Netscape server log :
 
 format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-re
 uest%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% "%Req->headers.r
 ferer%" "%Req->headers.user-agent%"
 
 208.33.224.36 - - [12/Feb/2000:12:54:27 -0800] "GET /protected/news2.htm HTTP/1.
 0" 401 223 "http://furer:deg6@207.87.7.16/mea1x.htm" "Mozilla/4.03 [en] (Win95; 
 I)"
 
 
 			Tuc/TTSG